One Award, Two Conferences and a Surprise in the Works

5 Comments April 28, 2013 Thom Langford

I am just returning from a very full three days in west London for the annual infosec conference season. I will do my best to name as many of the wonderful people I met throughout all three days, both new and old, but if I miss a namecheck or two, forgive me, let me know, and I will rectify immediately!

Tuesday bought the kick off of InfoSec Europe. After a quick run round to get some schwag and chat with a few key vendors I had lunch with Cindy (@cindyv), Dwayne (@thatdwayne), Jitender (@jitenderarora), Javvad (@j4vv4d) and Brian (@brianhonan) to chat about RSA Europe and our proposed submissions. This was quickly followed by a couple of panels in the Keynote theatre (one moderated by Javvad) and then some good gossiping with Brian and Neira (@neirajones) before heading off to one the two award ceremonies of the night.

Well goodness, gosh and golly!

It was at this point the evening took a somewhat surreal turn. Having been nominated for Best Personal Security Blog at the inaugural European Security Bloggers Awards, I was both deeply honoured and supremely surprised to win! I was also very proud to see Javvad pick up two awards as well. To say that the evening started to blur somewhat from that point on would be an understatement, but I am glad to say that the award itself did make it home safely. I did spend quite some time talking with Dwayne and Jack (@jackdaniel), predominantly about the mysogeny that still manages to find its way into infosec trade shows through booth babes that were supposedly banned form this years infosec show (looking at you ForeScout…) and then about possibly spinning up a BSides in India. Jack proved what a class act he was by offering to advise anyone who would be willing to take on this mantle in India, something I am hoping to encourage. I will be posting more on the awards in the next few days but suffice to say a huge thank you to Brian and Jack for making these awards happen.

Wednesday bought BSidesLondon. Whilst I was very disappointed not to have been able to speak it did take the pressure off considerably and I was able to enjoy a few good talks

Javvad and his heroes

(javvad and Stephen Bonner, @stephenbonner) and some great conversations with friends and colleagues. Max (@hoolers) if you are reading this, I apologise unreservedly for not getting around to having the chat I promised! I also managed to meet my “rookie” for the Rookie Track, Gavin (@gavinholt), as well as a great chat with Leron (@le_rond). Halfway through the afternoon I had to head back to InfoSec for my a panel I was a part of on BYOD and Consumerisation. This went very well, was entertaining and informative in my opinion, and despite two attempts at distracting me by Geordie Stewart and Andrew (@sirjester) completed without incident!

View from the panel

A quick visit to the RANT forum (@rantforum) was followed by a couple of drinks at the BSidesLondon after party and then an early night.

Thursday bought a couple of early meetings including Bruce to discuss the Analogies Project (@analogies) which is always a pleasure. I then formally went on vacation…

The rest of the day was taken up with filming for a project I am involved in with Javvad, Andrew and the very talented Jim (@jimshields) of Twist & Shout. More of that to follow in the coming few weeks but I am incredibly excited at what this project may bring not just to me personally but also to the infosec community as a whole (for instance, a sense of humour…).

After dinner with @secwonk, @gattaca, @turbodog, @anthonymfreed, Cindy, Javvad and Andrew, a weary but very satisfied Mr Langford returned home.

Highlights

Winning the Best Personal Security Blog Award
Thursday afternoon (see above)
ForeScout’s apparent admittance that they needed booth babes to help sell their product

Lowlights

Missing Gavin’s presentation because of a scheduling conflict
Not finding myself spoilt for choice for presentations to attend at BSides – I thought the choice was predominantly technical and not as broad as last year. Still a great conference, well run and with a huge amount of talent; just less applicable to me this year.

We turned around, and there he was… gone!

2 Comments April 18, 2013 Thom Langford

This is a picture taken in Starbucks, just a few minutes ago. Can you guess what’s missing?
Why the owner felt it was a good idea to go to the toilet (while carefully taking his iPhone with him, because otherwise it might get stolen!), leaving his laptop in a busy room where it could be easily removed is beyond me. It was made worse because when I peeked around the screen, it was also not screen locked.
With so much noise and argument going around the infosec community at the moment around security awareness the lazy conclusion would be that all users are idiots and need their hand holding all the time before they hurt themselves with their private data. Of course it is never that simple but it is no less infuriating to see this kind of attitude in practise. Where do we go from here in trying to avoid these situations?
I have a colleague who likes to highlight that we should consider our laptops and tablets and other various devices as “bathroom buddies”. I didn’t like this term at first (my knee-jerk reaction against the American use of the term bathroom), but it really does make sense. When in a public place such as a cafe, train etc and you need the toilet or a break, take your equipment with you! It is a simple alliterated phrase that sticks in the mind, makes you smile and therefore might actually make someone change their behaviour.
On the subject of humour, there was an XKCD cartoon very recently that summed this up perfectly.
The point is that this individual who left himself logged in could have had untold damage done to his personal and professional reputation if I was so inclined. Facebook posts, Tweets, work emails, Amazon orders etc could all potentially have caused him grief. Sure, after the fact he could probably “tidy up” the mess, but why put yourself in this position?
In the security awareness debates, system design is often touted as the way ahead, and in actual fact I think this may have come to the aid of our hapless coffee drinker, if he was lucky. The laptop itself looks like a new MacBook Pro, possible a Retina given the new style charger. That would mean he would be running Lion or Mountain Lion, which means FileVault is installed, although not enabled by default. If it was enabled and I ran out of the cafe with his laptop chances are when I sat down at the nearest park bench to check my prize the laptop would have locked and required a password. There is a good chance there that his data would be secure and encrypted. The same would be true if it was a Windows 7 or 8 laptop. The problem here though is that the key phrase above is “not enabled by default”. It’s great these operating systems now come with encryption built in, but there aren’t even annoying prompts a la Microsoft that, for instance, I don’t have an anti virus program installed; it is left entirely to the user to be educated and security savvy enough to enable it. I have joked on this blog before that encryption today is at the same level of anti virus of twenty years ago (Dr Solomon’s anyone?). Today, I would wager virtually everyone knows about anti-virus, and in fact it is often bundled and enabled by default on new laptops. (I am not going to take this opportunity to talk about the efficacy of anti virus as an endpoint protector!). When will encryption become such a commodity that you are an oddity if you don’t have it?
This isn’t a particularly racy topic, but it is one that is played out every day in cafes around the world. As every teacher will tell you, when you get the fundamentals right, the rest will follow far more easily. This person really should have known better, but when will we be at a point that he wouldn’t have had to?

Boston 15th April 2013

Leave a comment April 15, 2013 Thom Langford

My thoughts and wishes are with all my friends, colleagues and acquaintances in Boston at the moment following the multiple explosions centred around the Boston Marathon. I hope you and your loved ones are all safe and accounted for.

From Paris With Love; the oncoming storm of the generational gap

Leave a comment April 15, 2013 Thom Langford

The media has been awash with stories about Paris Brown, the UK’s first youth police and crime commissioner who felt she had no option to resign even before formally taking up her post as a result of allegedly offensive messages she had posted on Twitter.

To many, she had done nothing wrong; here was a teenager who was simply testing and pushing the boundaries of her adolescent world, sharing views and comments in her private life in an attempt to learn, identify with and grow into an adult. She had been chosen from a large number of candidates for this role precisely because she was typical of many of her peers, and her views of the world and the society she lived in, warts and all, were almost a requirement of the role in the first place.

To others, she was demonstrating vulgar and offensive sensibilities in a public domain that have no place in a role in public office. To that end Kent Police are currently reviewing the tweets in question so ascertain if a case should be made against her.

I believe this is going to be the thin end of the wedge, and that many more instances of issues like this will come through over the coming years. This is going to have, in my opinion, a number of ramifications in our industry in a number of areas:

BYOD. The adoption of smartphones across society combined with bring your own device policies across industries has meant that the boundaries between personal and professional life are becoming increasingly blurred. This blurring means that people will increasingly lose the definition between what can and can’t be shared from the workplace which is going to become an issue. Sharing confidential documents via a BYOD enabled smartphone to personal accounts so they can be worked from home is not going to be seen as an issue; the content is on “my” device after all. Tweeting or blogging about activities from the workplace is increasingly the norm, even if those activities are confidential or secret. Even the acronym NSFW, not safe for work, has evolved to identify what content may or not be suitable for viewing and sharing in the workplace (how else can I get the time to view all of this awesome content?). As quickly as NSFW has come about I predict it’s demise as these boundaries crumble and fall and anything and everything will be considered as acceptable to view at work as long as it is on “my device”.

Privacy vs Personal. There has been a growing trend amongst recruiters to look at the social media profiles of potential candidates. There is nothing illegal or unethical in this per se, although even standard police employment checks for the kind of role Paris Brown was entering into don’t specifically call out the need for social media checks/reviews. This is the dichotomy of the situation; how can I expect privacy when I do not observe it with my company data, and yet posting my weekends antics to my friends should remain with my friends, and yet this is the very real expectation it seems. How long will it be before this crashing realisation for a generation of people that what they have done in their adolescent years as they grew up really wasn’t just between friends but between the whole world, and put them at a distinct disadvantage in the job market? And will this realisation bring a raft of legislation along the lines of age discrimination, that disallows the use of this information during interview? There have already been cases of prospective employers in the US asking for Facebook credentials of candidates in order to check their backgrounds. Whilst this does cross moral, ethical and professional lines in many of our books, this is the inevitable alternative if this legislation doesn’t come in. As an infosec industry we will be on the front line of educating people of these consequences and potentially enforcing any incoming legislation in the workplace.

Professionalism in our Industry. But what about the here and now? As a profession we are held to a high standard of professional standards and ethics. All the organisations that we affiliate ourselves with to one extent or another have clear professional ethics. If during the recruitment process you have an opportunity to review somebodies social media background, would you take it? How would you use that information, and to what extent would a checkered social life influence your decisions? There are two sides to this of course; do your professional ethics stop you from looking (or just taking action from them), but then again would you want someone who appears to display a lack of self control and publicly put themselves into position of vulnerability that may allow them to be more easily bribed or blackmailed in an area that demands high levels of security and trust?

This generational gap in appreciation of the long lasting impacts of current social media in the world of big data is an area I believe is yet to be addressed fully. The sociological impacts of a series of younger generations engaging with an always on culture of social media are not yet fully understood and should be explored further. I hope the above is dipping a toe in the water of this huge body of water. Ultimately, if you are not paying for it, you are not the customer; you are the product…

EU Security Blogger Awards 2013

Leave a comment April 13, 2013 Thom Langford

It is not often I am inspired enough to write a post at the breakfast table, let alone on a Saturday, but that is exactly what is happening now. Brian Honan (@brianhonan) just this morning announced the opening of the EU Security Blogger Awards voting.
I had taken the time last week to vote for the nominees for this award as I felt strongly that while there is a strong infosec community in Europe we rarely shout about the fact. I also noticed that many of the blogs and twitter feeds I follow are USA based; nothing wrong with that per se, but as a result I was losing a certain element of relevance in my reading, education and therefore understanding about the issues that affect us in the industry, and specifically in the EU.
With Brian’s announcement I duly voted and todays announcement is the result of that process, namely the nominations for the awards. As a result of this however two wonderful things have come about; firstly, I have been given a rich seam of bloggers and tweeters to follow! This is like being given free textbooks at school, or a free subscription to your favourite infosec magazine. I fully intend to tap this source of information to its fullest extent in the coming weeks.
Secondly, I was both amazed and honoured to have been nominated in the category of Best Personal Security Blog! This is a tremendous surprise and somewhat daunting given the company I am keeping in this category. I am all the more humbled by the fact that this nomination was made possible because of people voting; to those of you who gave your unsolicited vote for me to be in this category, I thank you.
So I would urge all of you who read this to not only look at the nominations at the above link to see who else is out here in the EU blogging space, but also to vote and really underscore the fact that the EU blogging community is large, noisy, vibrant, informed, opinionated and above all active in the information security community. Your cheques will be in the post shortly.